Commit Graph

47 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Thomas Stromberg | ef5d8afdd0 | False positives: homekit, setxid overflows, buildx, tmp files | 2023-01-18 10:57:43 -05:00 |
| Thomas Stromberg | 7b79b19090 | False positive reduction: Messenger, Chrome, Final Cut Pro, etc | 2023-01-18 09:49:56 -05:00 |
| Thomas Stromberg | d415b36b57 | FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc | 2023-01-16 12:56:39 -05:00 |
| Thomas Stromberg | e3401a07c6 | Weekend false-positive flush | 2023-01-14 08:19:26 -05:00 |
| Thomas Stromberg | 1b79359b68 | Friday False Positive Flush | 2023-01-13 14:10:43 -05:00 |
| Thomas Stromberg | 420d269025 | Reformat and reduce false positives | 2023-01-09 15:10:48 -05:00 |
| Thomas Stromberg | c7e4252af1 | Remove false positives, fix some queries that failed to show a parent pid | 2023-01-09 10:46:30 -05:00 |
| Thomas Stromberg | e8af31a348 | false positives: dots, ipn, apport-gtk, homebrew, hyperkey, contexts | 2023-01-09 09:34:20 -05:00 |
| Thomas Stromberg | 4eb6993272 | Catch up to some older false positives we ran into | 2023-01-06 17:11:24 -05:00 |
| Thomas Stromberg | a8b95a2c9e | New Years cleanup: monitorix, snap-confine, steam, spotify, etc | 2023-01-03 08:50:19 -05:00 |
| Thomas Stromberg | 49a19a6fd5 | Sort out more false positives | 2022-12-16 17:37:32 -05:00 |
| Thomas Stromberg | 404adf3e1f | Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc | 2022-12-15 16:51:58 -05:00 |
| Thomas Stromberg | 16f9b2f3ee | Remove more false positives: kind, gopls, docker.socket, etc | 2022-12-15 10:20:16 -05:00 |
| Thomas Stromberg | 60e5435ed4 | Allow mount-product-files and / (bad data), add cgroup_path | 2022-12-15 09:20:41 -05:00 |
| Thomas Stromberg | 76d5c8564b | Resolve latest reported false positives | 2022-12-02 11:20:18 -05:00 |
| Thomas Stromberg | b9e0ad34a3 | Post-Thanksgiving false positive flush | 2022-11-28 16:06:07 -05:00 |
| Thomas Stromberg | 6a7c4b6668 | Pre-Thanksgiving False Positive cleanup, including Pop!OS support | 2022-11-22 09:21:03 -05:00 |
| Thomas Stromberg | 8e3d6a1614 | False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc | 2022-11-18 10:27:43 -05:00 |
| Thomas Stromberg | 9f63e3b21d | Begin making use of cgroup_paths, clear more false positives | 2022-11-16 16:52:39 -05:00 |
| Thomas Stromberg | 3d7bc8363e | More false positive management | 2022-11-16 14:49:36 -05:00 |
| Thomas Stromberg | 3dec23370c | More exclusions | 2022-11-08 12:59:11 -05:00 |
| Thomas Stromberg | f93a18d112 | Refactor execdir, remove false positives | 2022-11-07 20:36:37 -05:00 |
| Thomas Stromberg | 180efa23e0 | Add karabiner_session_monitor exception | 2022-11-04 09:57:41 -04:00 |
| Thomas Stromberg | 187aacf092 | Add a melange build exclusion | 2022-11-03 14:25:35 -04:00 |
| Thomas Stromberg | e7e714c9db | Make another stab at reducing false positives across the map | 2022-11-03 11:51:54 -04:00 |
| Thomas Stromberg | c1b7829797 | Add setxid-cmdline-overflow-attempt.sql | 2022-10-29 19:58:59 -04:00 |
| Thomas Stromberg | 6c78695b73 | Final KubeCon 2022 false-positive cleanup | 2022-10-28 19:24:00 -04:00 |
| Thomas Stromberg | 897c96bd33 | Remove more in-the-wild false positives | 2022-10-27 16:55:00 -04:00 |
| Thomas Stromberg | a00af6c1fa | Merge another day worth of false positives | 2022-10-27 10:23:15 -04:00 |
| Thomas Stromberg | 23351973ea | detection: Reduce Linux desktop false positives | 2022-10-25 11:39:51 -04:00 |
| Thomas Stromberg | e6a24545c2 | Add update-notifier -> pkexec exception | 2022-10-25 09:20:18 -04:00 |
| Thomas Stromberg | 13d10c6af1 | Add spacing (sqlformat) | 2022-10-21 17:39:53 -04:00 |
| Thomas Stromberg | eedfdfb23d | Fix table joins: hash->phash | 2022-10-21 17:38:29 -04:00 |
| Thomas Stromberg | e90dc53072 | Add newline | 2022-10-21 17:37:35 -04:00 |
| Thomas Stromberg | a64465f07b | Add exception for melange/wolfi | 2022-10-21 12:13:16 -04:00 |
| Thomas Stromberg | 195330da9a | Fix docker-mounting-root query that got stomped on | 2022-10-21 12:05:06 -04:00 |
| Thomas Stromberg | ab94de7770 | Add a lot more mitre data | 2022-10-19 16:56:32 -04:00 |
| Thomas Stromberg | 2b5ea76729 | Apply 'npx sql-formatter -l sqlite' | 2022-10-17 19:06:17 -04:00 |
| Thomas Stromberg | 9616a6ab36 | Use 'rapid' instead of 'continous' for tagging | 2022-10-17 08:43:29 -04:00 |
| Thomas Stromberg | f2023c0021 | Update interval tags, mostly for persistence | 2022-10-14 14:26:49 -04:00 |
| Thomas Stromberg | d2bdffe89e | Add support for interval tags | 2022-10-14 14:19:13 -04:00 |
| Thomas Stromberg | 06fd003475 | Use single-quotes for Kolide compatibility | 2022-10-14 10:29:23 -04:00 |
| Thomas Stromberg | 3c6d4968e1 | Add two Docker checks that can catch Traitor | 2022-10-14 09:16:48 -04:00 |
| Thomas Stromberg | dc9493ee1e | Tighten down the field list, update metadata | 2022-10-14 09:16:24 -04:00 |
| Thomas Stromberg | 4a7f734c81 | Add metadata, mark as Linux only. | 2022-10-14 08:42:10 -04:00 |
| Thomas Stromberg | 20452b128b | Migrate query strings from double to single apostrophes | 2022-10-13 14:59:32 -04:00 |
| Thomas Stromberg | 26ee658c4a | Initial re-organization around the MITRE ATT&CK framework | 2022-10-11 21:53:36 -04:00 |